Security Listings

8.7

CVE-2025-3602 GraphQL queries does not limit depth

Description

Liferay Portal and Liferay DXP does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.

Severity

8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.97
Liferay DXP 2023.Q3.1 through 2023.Q3.2
Liferay DXP 7.4
Liferay DXP 7.3 GA through Update 35
Liferay DXP 7.2 FP8 through FP20

Fixed Version(s)

Liferay Portal 7.4.3.98
Liferay DXP 2023.Q3.3
Liferay DXP 7.3 U36

CVE-2025-3602

Publication Date:

October 25, 2024

Found a Bug?

If you have found, or think you have found a bug, help us to help you by letting us know!

Learn How >

Found a Security Vulnerability?

There's a different process available if you have a security issue to report...

Learn How >

Hall of Fame!

Raise your profile - report security vulnerabilities and enter the Hall of Fame!

Learn How >

Community

Company

Feedback